ebourg / jsign

Java implementation of Microsoft Authenticode for signing Windows executables, installers & scripts
https://ebourg.github.io/jsign
Apache License 2.0

Does jsign support generating a PKCS7 structure? #154

Closed littlell closed 1 year ago

littlell commented 1 year ago

I just want to sign a digest string to a PKCS7 result, instead of signing an executable file like an exe etc. Thanks!

ebourg commented 1 year ago

For now Jsign is focused on code signing using Microsoft Authenticode. The scope of the project may be expanded to other file formats in the future (like JAR, PDF or even raw files), but it's not a priority.

littlell commented 1 year ago

> For now Jsign is focused on code signing using Microsoft Authenticode. The scope of the project may be expanded to other file formats in the future (like JAR, PDF or even raw files), but it's not a priority.

Thanks for your reply. We have now met a problem; the case is:

A Windows program calculates the target exe's message digest, like SHA-1 or SHA-256, and then sends the digest to the SaaS Java code signing service, so the Java side accepts the digest as an input parameter, not the entire exe file. The Java service therefore needs to calculate a PKCS7 result for the digest and finally return the PKCS7 to the Windows program, and the Windows program will append the PKCS7 result to the target exe file.

How can I use jsign for this case? Thanks!

ebourg commented 1 year ago

I don't think you need Jsign in this case, you can directly use Bouncy Castle.

littlell commented 1 year ago

> I don't think you need Jsign in this case, you can directly use Bouncy Castle.

Yeah, I used Bouncy Castle to do the PKCS7, but we met an error when we analyzed the P7 structure with a Windows program, so I'm not sure whether standard BC and jsign differ when making the PKCS7 result.

Thanks!

ebourg commented 1 year ago

What program do you use on Windows to check the signature?

littlell commented 1 year ago

> What program do you use on Windows to check the signature?

When parsing the P7 we met a crash; by debugging we found that the P7 lost some fields.

The verify tool is written by ourselves.

Thanks

littlell commented 1 year ago

I just want to ask whether there is a difference between standard BC and jsign when calculating the P7. Thanks

ebourg commented 1 year ago

Jsign uses Bouncy Castle to generate the PKCS#7 signature, but the way the file is hashed is specific to Authenticode.
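
To illustrate the reply above, here is an added example (not part of the thread and not Jsign's code) of how an Authenticode digest over a PE file differs from a flat hash of the file: the CheckSum field, the Certificate Table directory entry and the certificate table itself are left out. The function names and the sample image are constructed for illustration, and the sketch assumes sections are stored in file order, the certificate table (if any) is the last thing in the file, and the file length is already 8-byte aligned.

```python
import hashlib
import struct

def authenticode_ranges(pe: bytes):
    """Byte ranges of a PE image that go into the Authenticode digest."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]        # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 24                    # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):      # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)
    if struct.unpack_from("<I", pe, dirs - 4)[0] < 5:     # NumberOfRvaAndSizes
        raise ValueError("no certificate table directory entry")
    checksum = opt + 64                  # CheckSum field, 4 bytes, skipped
    cert_entry = dirs + 4 * 8            # directory index 4, 8 bytes, skipped
    cert_off, cert_size = struct.unpack_from("<II", pe, cert_entry)
    if cert_size and cert_off + cert_size != len(pe):
        raise ValueError("certificate table is not at end of file")  # assumption
    end = cert_off if cert_size else len(pe)
    return [(0, checksum), (checksum + 4, cert_entry), (cert_entry + 8, end)]

def authenticode_digest(pe: bytes, alg: str = "sha256") -> bytes:
    h = hashlib.new(alg)
    for start, stop in authenticode_ranges(pe):
        h.update(pe[start:stop])
    return h.digest()

def make_sample(checksum: int = 0, cert: bytes = b"") -> bytes:
    """Constructed minimal PE32+ image (headers plus filler), not a real program."""
    img = bytearray(328) + b"constructed section bytes".ljust(32, b"\0")
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 64)          # e_lfanew
    img[64:68] = b"PE\0\0"
    struct.pack_into("<H", img, 88, 0x20B)         # PE32+ magic
    struct.pack_into("<I", img, 88 + 64, checksum)
    struct.pack_into("<I", img, 88 + 108, 16)      # NumberOfRvaAndSizes
    if cert:
        struct.pack_into("<II", img, 232, len(img), len(cert))
    return bytes(img + cert)

if __name__ == "__main__":
    plain = make_sample()
    signed = make_sample(checksum=0x1234, cert=b"constructed PKCS#7 blob".ljust(24, b"\0"))
    print(authenticode_digest(plain) == authenticode_digest(signed))          # same
    print(hashlib.sha256(plain).digest() == hashlib.sha256(signed).digest())  # differ
```

In an Authenticode signature this digest is carried inside an SpcIndirectDataContent structure that forms the signed content of the PKCS#7 SignedData, so a parser should expect that content type and not a bare digest.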

littlell commented 1 year ago

> Jsign uses Bouncy Castle to generate the PKCS#7 signature, but the way the file is hashed is specific to Authenticode.

OK, thanks

The problem may come from the Windows P7 check program.